Microsoft AZ-801 Configuring Windows Server Hybrid Advanced Services Exam Dumps and Practice Test Questions Set 1 Q1-20

Visit here for our full Microsoft AZ-801 exam dumps and practice test questions.

Question 1

A company is implementing hybrid identity and wants to ensure users can sign in with the same credentials both on-premises and in Azure AD. Which deployment will least likely meet the requirement?

A) Password Hash Synchronization with Azure AD Connect
B) Pass-through Authentication with Azure AD Connect
C) Federation using AD FS (Active Directory Federation Services)
D) Azure AD Domain Services (managed domain)

Answer: D

Explanation: 

Choice A describes synchronizing password hashes from on-premises Active Directory to Azure AD. This approach enables users to sign in to Azure services using the same username and password. It meets the single-credential requirement while being simple to deploy and resilient. It does not require maintaining an authentication infrastructure beyond Azure AD Connect, and authentication occurs in Azure AD after a successful hash sync.

Choice B describes a pass-through authentication model that sends users’ authentication requests to on-premises domain controllers via a lightweight agent. This preserves live authentication against on-premises credentials and supports the same username/password experience across cloud and on-premises resources. It also supports seamless single sign-on scenarios when combined with integrated Windows auth on domain-joined devices.

Choice C covers federation with AD FS. This delegates authentication to on-premises AD FS, providing the same credential experience and advanced authentication control (for example, complex claims rules or custom MFA integrations). Federation requires additional infrastructure (AD FS servers, proxies) and careful high-availability planning, but it still delivers the same-sign-in experience across environments.

Choice D, Azure AD Domain Services (managed domain), provides a managed NTLM/Kerberos-compatible domain in Azure that supports legacy protocols. However, it does not sync user passwords back for live authentication to on-premises resources and is a separate managed domain instance. While it allows cloud-based VMs to join a domain without domain controllers, it does not provide the same seamless credential validation against the on-premises Active Directory for all scenarios. Azure AD Domain Services is primarily intended for lifting-and-shifting legacy applications to Azure rather than as a core hybrid authentication mechanism for users across both on-premises and Azure AD.

Password Hash Sync, Pass-through Authentication, and Federation all ensure that user sign-in to Azure AD reflects on-premises credentials—either by copying the hash, validating against on-premises controllers, or delegating to AD FS. Azure AD Domain Services creates a managed domain in Azure but is not designed to be the primary mechanism to ensure identical credential validation against on-premises AD for typical hybrid sign-in scenarios. Therefore, it is the least likely to meet the requirement that users use the same credentials seamlessly across on-premises and Azure AD.

Question 2

A datacenter hosts a cluster of Hyper-V hosts running critical VMs. The team needs a low-RTO solution to maintain VM availability in Azure during a site outage. Which Azure service provides replication and orchestrated failover for Hyper-V VMs?

A) Azure Backup
B) Azure Site Recovery
C) Azure Migrate
D) Azure Resource Health

Answer: B

Explanation: 

Choice A, Azure Backup, is focused on backup and restore capabilities for workloads, including VMs and files. It protects data by creating recovery points and allows restores at various granularities, but it is not purpose-built for near-instant failover and orchestrated disaster recovery. Recovery time objectives with backup-based restores are typically higher because they require provisioning target resources and restoring data before services resume.

Choice B, Azure Site Recovery, is specifically designed for replication and orchestrated failover of on-premises VMs (including Hyper-V) to Azure. It continuously replicates VMs to a secondary location (in this case, Azure), supports test failovers without impacting production, provides runbooks for orderly failover and failback operations, and helps achieve low RTO and RPO depending on configuration and network bandwidth. It integrates with Azure Site Recovery services to automate recovery plans and sequencing, which is ideal for business continuity scenarios requiring minimal downtime.

Choice C, Azure Migrate, assists with discovery, assessment, and migration of on-premises workloads to Azure. It helps plan and perform large-scale migrations and can recommend VM sizing and cost estimates, but it is not an orchestration tool for real-time replication and failover during disasters.

Choice D, Azure Resource Health, is an Azure monitoring service that reports the health of Azure services and resources. It helps diagnose and get support during outages but does not provide replication or failover capabilities for on-premises Hyper-V VMs.

Reasoning about the correct choice requires matching the goal—low recovery time objective and orchestrated failover—with the service functionality. Azure Backup is for protection and restoring data; it doesn’t provide automated failover orchestration. Azure Migrate focuses on planning and migrating workloads rather than on continuous replication for failover. Azure Resource Health is informational. Azure Site Recovery, on the other hand, was created to continuously replicate on-premises Hyper-V and VMware VMs to Azure, provide test failovers, support custom recovery plans, and orchestrate failover/failback—making it the appropriate tool for maintaining VM availability in Azure during a datacenter outage.

Question 3 

An admin must provide secure administrative access to domain-joined servers in Azure without exposing management ports broadly. Which approach most directly reduces persistent management exposure while enabling on-demand secure access?

A) Enable public RDP/SSH on a jump box with NSG rules
B) Use Azure Bastion for browser-based RDP/SSH over TLS
C) Configure VPN point-to-site to access the VNet containing servers
D) Open management ports and restrict by source IP

Answer: B

Explanation: 

Choice A suggests exposing a jump box with public RDP/SSH access but limiting traffic via network security group rules. While using a hardened jump host can centralize administrative access, publicly exposing RDP/SSH even with NSG restrictions increases attack surface and requires managing public endpoints, certificates, and firewall rules. It’s less desirable from a security posture perspective because the jump box itself becomes a high-value target.

Choice B, Azure Bastion, provides managed, browser-based RDP and SSH connectivity to virtual machines in a virtual network, delivered over TLS through the Azure portal. It eliminates the need for public IP addresses on VMs, avoids exposing RDP/SSH ports to the internet, and integrates with Azure RBAC and conditional access for additional control. Bastion also reduces administrative overhead because Microsoft manages the platform and scaling, and it provides a secure channel without configuration of VPNs or jump hosts.

Choice C, deploying a VPN point-to-site, allows administrators to securely connect into the virtual network and then RDP/SSH to VMs as if on the same network. This reduces exposure of management ports to the internet but requires client VPN configuration, certificate or authentication management, and may be operationally heavier for ad-hoc access. It’s secure but less seamless than Bastion for browser-based access and requires endpoint clients.

Choice D, opening management ports and restricting by source IP, attempts to secure access by limiting source addresses. However, source IP filtering can be brittle: admins often work from dynamic IPs, and attackers can spoof or pivot from allowed sources. This approach leaves management ports publicly reachable and thus increases residual risk.

Reasoning focuses on minimizing persistent exposure while enabling secure access. Exposing public RDP/SSH even with restrictions leaves public-facing endpoints and requires careful management. VPNs provide security but add client-side complexity and lifecycle management. Opening ports with IP restrictions is brittle and less secure. Azure Bastion directly addresses the requirement by avoiding public IPs on VMs and providing on-demand secure access via the portal over established TLS, reducing attack surface and administrative complexity—making it the most appropriate choice.

Question 4

When extending an on-premises Active Directory to Azure using Azure AD Connect, which synchronization feature prevents accidental deletion of many users in Azure AD if they are removed on-premises?

A) Staging mode
B) Password writeback
C) Soft-delete protection
D) Azure AD Connect cloud-only deletion threshold (prevent accidental large deletes)

Answer: D

Explanation: 

Choice A, staging mode, configures an additional Azure AD Connect server as a standby to be used for high availability or migration; it does not change synchronization behavior related to deletions. Staging mode can receive configuration and synchronization information, but it does not directly protect against mass deletions caused by the primary connector.

Choice B, password writeback, allows password changes made in Azure AD (for example during self-service password reset) to be written back to the on-premises Active Directory. This feature helps with hybrid password management and user experience but is unrelated to deletion protection.

Choice C, soft-delete protection, sounds like a generic protective feature but in the context of Azure AD Connect the typical mechanism for accidental deletions is the prevention threshold for cloud-only deletes. Azure AD has soft-delete behavior for individual objects where deleted objects go to a Recycle Bin and can be restored within a retention period, but soft-delete alone doesn’t prevent mass synchronized deletions triggered by a connector.

Choice D refers to the built-in safeguards that Azure AD Connect can enforce to prevent accidental large-scale deletions in Azure AD due to synchronization. The sync engine includes a deletion threshold parameter that prevents the connector from performing cloud deletes above a configured percentage or absolute number, requiring admin review before a bulk deletion is permitted. This safeguard helps avoid catastrophic unintended mass deletions caused by misconfiguration or accidental removal in the on-premises directory and is a direct mechanism to prevent accidental wholesale deletions in Azure AD.

Reasoning about the correct answer requires mapping the intended protective behavior to the features available. Staging mode and password writeback are valid Azure AD Connect capabilities but do not mitigate mass deletion risk. Soft-delete addresses recoverability for individual deletions but not prevention of bulk synchronized deletes. The deletion threshold feature (or cloud-only deletion threshold) explicitly blocks or pauses large-scale deletions initiated by sync, thereby protecting Azure AD from accidental mass removals—making that the correct selection.

Question 5

A team wants to manage and apply Windows updates to hybrid Windows Server 2022 machines across on-premises and Azure. Which Microsoft solution provides unified update management, compliance reporting, and orchestration for both environments?

A) Windows Server Update Services (WSUS) only
B) Azure Update Manager (Update Management in Azure Automation / Microsoft Intune + Update Compliance)
C) Manual updates via RDP/PowerShell scripts scheduled by Task Scheduler
D) Windows Update for Business alone

Answer: B

Explanation: 

Choice A, WSUS, provides centralized patch management for on-premises Windows servers and clients, enabling approval-based deployment of updates. WSUS can be extended to support Azure-connected machines via VPN or hybrid networks, but it lacks built-in cloud-native reporting across Azure and Intune-managed endpoints and requires infrastructure management. It doesn’t natively offer unified management for cloud-only and Intune-managed devices without further integration.

Choice B refers to Azure’s suite of update management capabilities—services such as Update Management in Azure Automation, Microsoft Intune for policy-driven updates, and Update Compliance reporting via Azure Monitor/Log Analytics. Together, these provide centralized control, scheduling, compliance reporting, and orchestration across hybrid environments. Update Management allows scheduling patch deployments, tracking installation status, and assessing compliance for machines connected to Log Analytics. Intune and Update Compliance augment management for modern and cloud-managed devices, giving visibility and policy enforcement across on-premises and Azure-hosted servers.

Choice C, manual updates via RDP or PowerShell scripts scheduled locally, is ad-hoc and does not scale well. It lacks centralized reporting, compliance tracking, and orchestration. While scripting can automate deployment to an extent, it requires significant operational overhead and increases risk of inconsistencies.

Choice D, Windows Update for Business, targets client devices and provides deferral, ring-based deployment policies for Windows 10/11 clients, and integrates with Intune. It is not designed for server-centric patch management for Windows Server 2022 in heterogeneous hybrid datacenter environments by itself.

Reasoning centers on seeking a solution that natively handles both on-premises and Azure-hosted servers with centralized orchestration and reporting. WSUS alone is server-centric and requires additional integration for cloud coverage. Manual approaches are inefficient and risky. Windows Update for Business is client-focused. Azure Update Manager and the combined Azure services offer the hybrid reach, centralized control, scheduled deployments, and compliance visibility required to manage Windows Server updates across on-premises and Azure—making it the correct choice.

Question 6

A company migrates several on-premises file servers to Azure using Windows Server 2022 VMs. They require centralized file access auditing and classification across both on-premises and cloud servers. Which Windows Server feature best supports this hybrid requirement?

A) Storage Spaces Direct
B) File Server Resource Manager (FSRM)
C) Distributed File System Replication (DFSR)
D) NTFS Quotas

Answer: B

Explanation: 

Choice A, Storage Spaces Direct, provides hyperconverged storage capabilities that aggregate disks across cluster nodes to create highly available storage pools. While it benefits scenarios involving scalable storage clusters, it does not provide classification, auditing, or file management across hybrid environments. Its focus is on high availability and performance for local cluster workloads rather than on managing or monitoring files across on-premises and cloud-based file servers.

Choice B, File Server Resource Manager (FSRM), supports comprehensive file classification, quota management, file screening, reporting, and storage usage monitoring. FSRM provides the ability to classify files based on content or location, generate audit and compliance reports, and enforce policies such as file screening rules. Because FSRM is a Windows Server role that can be deployed on both on-premises and Azure VMs, it enables consistent policy enforcement and file auditing across hybrid environments. The File Classification Infrastructure within FSRM also integrates with other compliance tools, enabling organizations to maintain visibility and control of data wherever the file server is hosted.

Choice C, Distributed File System Replication (DFSR), supports data replication between servers to keep folders synchronized. Although useful for redundancy and distributed access, DFSR does not provide the auditing, classification, or reporting functionality required in this scenario. DFSR focuses on multi-master replication and resiliency, not on compliance, file categorization, or hybrid governance.

Choice D, NTFS Quotas, restricts disk usage at the volume or folder level. Although it provides basic usage limitations, it lacks the deep reporting, classification, content analysis, and auditing features needed for enterprise-level data governance.

The reasoning for selecting the correct answer revolves around identifying the feature designed specifically for content auditing and classification. Only File Server Resource Manager supplies centralized file classification, reports on file types and usage, screens undesirable file types, and enforces rules about data placement and usage. It operates consistently on any Windows Server, whether on-premises or in Azure VMs, providing a unified hybrid experience. The other features focus on hardware storage aggregation, replication, or quota enforcement, none of which provide detailed classification or hybrid file auditing. Therefore, FSRM is the most appropriate choice for organizations that need centralized file auditing and classification in a hybrid Windows Server deployment.

Question 7

You are configuring Kerberos constrained delegation (KCD) for a hybrid application distributed across on-premises Windows Servers and Azure-hosted servers. Which requirement must be met to enable KCD in this hybrid environment?

A) Servers must run Windows Server Essentials edition
B) Application servers must be joined to the same Active Directory forest
C) The application must use NTLM authentication only
D) Servers must use local user accounts for delegation

Answer: B

Explanation: 

Choice A suggests using Windows Server Essentials edition for Kerberos constrained delegation. However, KCD is unrelated to server edition and is supported on Standard and Datacenter editions commonly used in enterprise environments. Essentials has limitations around domain size and features, but KCD is not dependent on this edition. Therefore, this choice does not satisfy the requirement for enabling delegation.

Choice B states that application servers must be joined to the same Active Directory forest. KCD relies on Kerberos protocol capabilities, which are tightly bound to the Active Directory domain and forest where service principal names (SPNs) are registered, and delegation settings are configured. In a hybrid environment, Azure-hosted servers can join the on-premises Active Directory domain using VPN or ExpressRoute connectivity, thus enabling domain-based Kerberos authentication. All participating servers must exist within the same forest so that domain controllers can issue Kerberos service tickets and apply delegation permissions consistently. Without a common Kerberos trust boundary, constrained delegation is not possible.

Choice C indicates that the application must use NTLM authentication. Kerberos constrained delegation fundamentally requires Kerberos-based authentication, not NTLM. NTLM does not support constrained delegation because it lacks the service ticket structure and authorization data required for secure, selective delegation. Hybrid applications that fall back to NTLM would break KCD functionality.

Choice D suggests that servers must use local user accounts. Local accounts do not participate in Kerberos authentication, do not possess SPNs, and cannot be configured for delegation. Kerberos works only with domain accounts, making this option incompatible with any form of Kerberos delegation.

The reasoning for selecting the correct answer centers on Kerberos dependency on domain membership and forest scope. Kerberos constrained delegation requires the authoritative identity store—Active Directory—to manage SPNs and delegation rights. All servers participating in the authentication chain must reside within the same forest to allow domain controllers to validate service tickets and enforce delegation policies. Other choices either rely on NTLM, local accounts, or server editions that are irrelevant. Therefore, domain membership in the same forest is mandatory for hybrid Kerberos constrained delegation, making option B the correct answer.

Question 8

An organization uses Windows Server failover clustering in Azure to host a highly available SQL Server instance. They need a shared storage solution supported in Azure for this clustered deployment. Which option should they use?

A) Cluster Shared Volumes on local VM disks
B) Azure Files with SMB 3.0
C) Azure Managed Disks (non-shared configuration)
D) Storage Spaces Direct without cluster networking

Answer: B

Explanation: 

Choice A, Cluster Shared Volumes on local VM disks, cannot function properly in Azure because local VM-attached disks are not shared between virtual machines. CSV requires block-level shared storage accessible by all cluster nodes simultaneously. Azure does not support sharing a single attached disk across multiple VMs, making this configuration unsuitable for clustered SQL Server workloads.

Choice B, Azure Files with SMB 3.0, is a supported shared storage solution for Windows Server failover clusters in Azure. Azure Files provides a fully managed file share that supports symmetric access from multiple VMs and integrates with Active Directory for identity-based access control. SMB 3.0 adds features such as continuous availability, multichannel support, and improved resiliency, which are critical for cluster operations. Azure Files can be mounted simultaneously on cluster nodes, allowing SQL Server or other clustered applications to leverage shared storage in the cloud without requiring traditional SAN infrastructure.

Choice C, Azure Managed Disks in non-shared mode, does not allow multiple VMs to attach the same disk concurrently. Although Azure now supports shared managed disks for certain scenarios, the option as presented (non-shared configuration) explicitly prevents shared access. Non-shared disks are suitable only for standalone workloads, not failover clustering relying on shared storage.

Choice D, Storage Spaces Direct without cluster networking, cannot function because S2D requires high-speed, low-latency east–west cluster networking between nodes to pool and synchronize disks. Deploying S2D without proper networking eliminates its core functionality, preventing the creation of cluster-accessible distributed volumes. Without S2D’s required network and storage components, cluster storage cannot be established.

The reasoning behind selecting the correct answer focuses on identifying a storage service that is simultaneously accessible by multiple Azure VMs in a cluster and is officially supported for clustered workloads. Azure Files delivers a durable SMB-based shared storage system fully compatible with Windows Server failover clustering requirements. The other options either rely on local-only storage, do not provide shared access, or omit essential components for cluster operations. Therefore, Azure Files with SMB 3.0 is the appropriate shared storage solution for clustered SQL Server deployments in Azure.

Question 9

You are configuring Windows Admin Center (WAC) to manage a hybrid environment that includes on-premises Windows Server 2022 hosts and Azure-based servers. Which additional configuration is required to enable Azure Hybrid Services integration within WAC?

A) Install the DNS Server role on the WAC gateway
B) Register WAC with Azure using Azure Arc or WAC’s Azure registration workflow
C) Enable Hyper-V role on the WAC gateway server
D) Configure DFS Namespaces on all managed servers

Answer: B

Explanation: 

Choice A, installing the DNS Server role on the WAC gateway, is unrelated to enabling Azure integration. WAC does not require DNS services to activate hybrid capabilities. While DNS is important for name resolution within a network, it does not provide any connectivity or authentication capability required for Azure Hybrid Services. Therefore, installing a DNS role would not activate or influence hybrid service registration.

Choice B describes registering Windows Admin Center with Azure using its built-in Azure registration workflow or by onboarding the servers through Azure Arc. This registration process is essential because Azure services rely on authenticated, tenant-linked identity and authorization. By registering WAC with Azure, you allow WAC to communicate securely with Azure APIs, enabling hybrid features such as Azure Backup, Azure Monitor, Azure Update Management, and Azure Security Center integrations. The workflow creates the required Azure AD applications, service principal configurations, and resource connections enabling the seamless extension of WAC-managed servers into Azure.

Choice C, enabling the Hyper-V role on the WAC gateway server, is unnecessary unless you intend the gateway to manage local virtual machines. WAC does not require Hyper-V on the gateway to interact with Azure services. Hyper-V only becomes relevant for virtualization management, not for enabling hybrid integration with Azure.

Choice D, configuring DFS Namespaces on all managed servers, focuses on file system organization and distributed namespace management for SMB file shares. DFS does not affect hybrid connectivity or Azure service activation and has no relationship with the Azure Hybrid Services framework inside WAC.

The reasoning behind selecting the correct answer focuses on the prerequisite for enabling any Azure-based hybrid service through Windows Admin Center. Azure integration demands that the WAC gateway or the managed servers be authenticated within an Azure tenant. Registering WAC with Azure creates a secure trust and enables communication channels required for hybrid capabilities. This step is mandatory for hybrid service activation such as Azure Site Recovery, Azure Backup, Azure Monitoring, or Update Management. The other options relate to roles or features irrelevant to Azure onboarding. Therefore, registering WAC with Azure is the only configuration required to enable Azure Hybrid Services in WAC.

Question 10

An organization wants to implement Just-Enough Administration (JEA) to reduce privileged access on their Windows Server 2022 systems. Which component is essential when configuring JEA endpoints?

A) Distributed File System Replication groups
B) PowerShell role capability files
C) Windows Server Update Services groups
D) Local Security Policy password filters

Answer: B

Explanation: 

Choice A, DFS Replication groups, play no role in configuring JEA) DFSR is a file replication technology used to synchronize folders across servers. It has no link to permission scoping, role definitions, or PowerShell-based administration. While DFS may be part of a broader administrative infrastructure, it does not influence JEA configurations or endpoints.

Choice B identifies PowerShell role capability files, which are fundamental to implementing JEA functionality. JEA works by defining which commands a delegated user can execute when they connect to a JEA-enabled endpoint. These allowed commands, modules, and functions are stored in role capability files (.psrc files). Administrators build these files to specify permitted actions and then link them to session configuration files that define the overall constraints for the endpoint. Without role capability files, there would be no mechanism for assigning granular administrative permissions or limiting the scope of delegated operations.

Choice C, WSUS groups, regulate patch deployment schedules and classifications but do not participate in security delegation or PowerShell endpoint configuration. Managing software updates is separate from defining granular role-based administrative controls.

Choice D, Local Security Policy password filters, pertain to enforcing custom password validation rules on a domain or local computer. While these filters may enhance password security, they are completely unrelated to JEA, which deals with limiting administrative actions rather than password enforcement rules.

The reasoning behind selecting the correct answer centers on understanding how JEA enforces least-privilege administration. PowerShell role capability files define the specific high-level and low-level actions that delegated users may perform, effectively controlling their administrative footprint. They are the core of JEA because they allow administrators to translate principle-of-least-privilege policies into enforceable operational rules. The other choices relate to replication, patch management, and password security—none of which address granular, command-level administrative authorization. Therefore, PowerShell role capability files are the essential component required for configuring JEA endpoints.

Question 11

You are deploying Azure Arc–enabled servers to manage on-premises Windows Server 2019 and 2022 machines through Azure. Which requirement must be satisfied before a server can be onboarded to Azure Arc?

A) The server must run the Hyper-V role
B) The server must have direct internet connectivity to Azure endpoints
C) The server must be joined to Azure AD Domain Services
D) The server must host a failover cluster instance

Answer: B

Explanation: 

Choice A states that the server must run Hyper-V, but Azure Arc does not require any virtualization roles. Arc onboarding uses an agent-based approach that works on physical machines, virtual machines, and servers running on any hypervisor. Hyper-V plays no role in enabling Arc management capabilities; therefore, this requirement is unnecessary.

Choice B highlights direct internet connectivity to Azure endpoints, which is essential for Azure Arc onboarding. Azure Arc relies on outbound HTTPS communication from the hybrid server to Azure resource providers. The agents installed on the server communicate with Azure to register the machine, send inventory and monitoring data, apply policy, and integrate with services like Azure Update Manager or Azure Monitor. Without outbound connectivity to Azure endpoints, the server cannot authenticate, enroll, or maintain connection health.

Choice C suggests that the server must be joined to Azure AD Domain Services. Domain membership in either on-premises AD or Azure AD DS is optional and not required for Azure Arc onboarding. Arc can onboard standalone, domain-joined, or cloud-joined servers. Although Azure AD DS may provide identity integration, Arc onboarding does not mandate this membership.

Choice D implies that the server must host a failover cluster instance. Azure Arc supports standalone servers and cluster members alike, but running a cluster role is not a prerequisite. Arc management functions apply regardless of workload type.

The reasoning behind selecting the correct answer focuses on understanding the communication model for Azure Arc. Arc extends Azure management capabilities to any server by installing a lightweight agent that relies on secure outbound communication to Azure Resource Manager. Without internet access to Azure endpoints—or an approved proxy configuration—the server cannot authenticate or publish status information to Azure. The other choices relate to server roles or domain membership that are irrelevant to Arc’s agent and onboarding model. Therefore, outbound internet connectivity is the essential requirement for onboarding servers into Azure Arc.

Question 12

You need to ensure secure synchronization of passwords from on-premises Active Directory to Azure AD using Azure AD Connect. Which feature must be enabled to allow reversed password flow from Azure AD back to on-premises AD for hybrid users who reset their passwords in the cloud?

A) Seamless Single Sign-On
B) Password Writeback
C) Pass-through Authentication
D) AD FS Claims Rules

Answer: B

Explanation: 

Choice A, Seamless Single Sign-On, provides users with the convenience of automatic sign-in when they are on a corporate network. It enables Kerberos-based authentication so that users don’t need to type credentials repeatedly. However, it does not allow password changes made in Azure AD to propagate back to on-premises Active Directory. It strictly handles sign-in convenience, not password synchronization in reverse.

Choice B, Password Writeback, is the feature explicitly designed to handle scenarios where users reset or change their passwords in Azure AD (including through self-service password reset). When enabled, Password Writeback sends those password changes securely back to the on-premises Active Directory domain controllers, ensuring that on-premises credentials remain in sync with cloud changes. This feature requires Azure AD Connect and an appropriate Azure AD license but is the only mechanism that directly supports reverse password synchronization. For hybrid organizations, enabling Password Writeback ensures consistent password state across cloud and on-premises systems even when users primarily interact with cloud services.

Choice C, Pass-through Authentication, validates user passwords directly against domain controllers. Authentication requests from Azure AD are routed through an agent to on-premises AD for real-time validation. While this preserves the single password experience, it does not support password changes made in Azure AD being pushed back to on-premises AD. Pass-through authentication handles sign-in flow, not password reset synchronization.

Choice D, AD FS Claims Rules, are used to customize authentication flows and create complex claims-based access control policies. Although AD FS can support sign-in in a hybrid identity scenario, it does not provide functionality for synchronizing password changes back to on-premises AD. Claims rules simply evaluate and issue claims during authentication and authorization but do not influence password lifecycle operations.

The reasoning behind the correct answer is based on identifying the only Azure AD Connect feature that allows bidirectional password handling. Most synchronization features—such as Seamless SSO and Pass-through Authentication—focus strictly on how users authenticate. AD FS claims rules affect token issuance, not synchronization. Only Password Writeback is designed to securely take a password change initiated in Azure AD and commit it back to the authoritative on-premises AD. Thus, Password Writeback is the necessary feature for reversed password flow in hybrid identity setups.

Question 13

A company hosts a Windows Server–based distributed application across Azure and on-premises sites. They want to implement network security that evaluates identity, device state, and contextual access before allowing servers to communicate. Which solution best supports this requirement?

A) Traditional Network Security Groups (NSGs) only
B) Azure Firewall without threat intelligence
C) Zero Trust access using Azure AD Conditional Access + Defender for Cloud
D) Basic IP allowlists on perimeter firewalls

Answer: C

Explanation: 

Choice A, Network Security Groups, filter traffic based on layer 3 and layer 4 rules such as IP address, port, and protocol. While NSGs are important for segregating workloads, they do not incorporate identity-driven or conditional access policies. They cannot validate device compliance or user identity context. Thus, NSGs alone cannot meet the requirement for contextual, identity-based security across hybrid workloads.

Choice B, Azure Firewall without threat intelligence, provides centralized packet filtering and routing but focuses on network-level protection. Although Azure Firewall adds Layer 7 capabilities and threat intelligence when enabled, the scenario explicitly mentions evaluating identity and device posture. Basic Azure Firewall configurations do not provide identity-based zero trust access control for server-to-server communication. Without advanced threat intelligence or integration with identity protection, Azure Firewall alone does not meet the stated requirement.

Choice C, Zero Trust access using Azure AD Conditional Access combined with Defender for Cloud, directly addresses the requirement. Zero Trust frameworks validate user identity, device health, location, and risk signals before granting access. Azure AD Conditional Access enforces these contextual policies, while Defender for Cloud extends identity-based microsegmentation and workload protection across both Azure and hybrid environments. Defender for Cloud can enforce adaptive access control, monitor posture, and integrate tightly with Azure AD for identity-aware decisions. This combination creates policies that evaluate identity, device compliance, and session context before allowing communication between hybrid servers.

Choice D, basic IP allowlists on perimeter firewalls, provide static filtering based solely on IP addresses. Such rules do not evaluate identity, device compliance, risk score, or session context. They are one of the least dynamic and least secure approaches for distributed hybrid applications requiring modern contextual security.

The reasoning behind selecting the correct answer highlights that identity-driven and context-aware security is the foundation of Zero Trust architecture. Only Azure AD Conditional Access and Defender for Cloud provide this integrated, adaptive, hybrid-aware environment. NSGs, basic firewalls, and IP allowlists offer static filtering and do not fulfill the identity or device-state evaluation requirement. Therefore, Zero Trust with Azure AD Conditional Access and Defender for Cloud is the correct solution.

Question 14

You are implementing Storage Replica to replicate data between a Windows Server 2022 cluster in Azure and another in an on-premises datacenter. Which requirement must be satisfied for Storage Replica to work across both sites?

A) Both sites must use identical VM sizes
B) A network with sufficient bandwidth and low latency for log replication
C) Both sites must use ReFS only
D) Both clusters must be in the same Active Directory domain

Answer: B

Explanation: 

Choice A suggests that both sites must use identical VM sizes. Storage Replica does not require symmetry in VM size or hardware resources. While performance differences can influence replication throughput, identical VM sizing is not mandatory for replication to function. Therefore, this is not a requirement.

Choice B, a network with sufficient bandwidth and low latency, is essential for Storage Replica. Storage Replica uses log-based replication where writes are captured and transmitted between sites. Synchronous replication requires extremely low latency to maintain write consistency, while asynchronous replication requires enough bandwidth to handle log traffic and avoid accumulation. Poor bandwidth or high latency causes delays, replication backlogs, or even failures. Replication between Azure and on-premises environments typically uses VPN or ExpressRoute, but the underlying requirement remains: a stable, high-performance network connection capable of supporting log traffic between the servers.

Choice C, requiring ReFS exclusively, is incorrect. Storage Replica supports both NTFS and ReFS volumes. There is no mandate that both ends must use ReFS. Administrators can choose the format depending on workload needs, and mixed-use is supported.

Choice D, requiring both clusters to exist in the same Active Directory domain, is also incorrect. While domain membership is required, cross-domain replication is supported as long as appropriate trust relationships exist. Storage Replica is flexible in domain topology, and the key dependencies relate more to networking and storage configuration than domain uniformity.

The reasoning behind selecting the correct answer focuses on understanding what Storage Replica relies on. Log replication is sensitive to latency and throughput; without a suitable network, replication fails or becomes unreliable. Other dependencies—volume format, VM size, or domain sameness—do not prevent Storage Replica from functioning. Therefore, adequate bandwidth and low latency are mandatory for Storage Replica in hybrid Azure–on-premises deployments.

Question 15 

You manage a Windows Server 2022 cluster running several virtual machines. You need to ensure that if one node fails, specific high-priority VMs start first on the remaining nodes before lower-priority VMs. You must configure the cluster to automatically control failover order without manual intervention. What should you configure?

A) VM anti-affinity rules
B) VM priority settings
C) Cluster quorum witness
D) Preferred owner settings

Answer: B

Explanation: 

Understanding each of the presented choices helps clarify how Windows Server failover clustering manages virtual machines when hardware issues or node failures occur. The first choice, VM anti-affinity rules, controls placement so that specified virtual machines do not run on the same host simultaneously. This is useful for redundancy or spreading workloads across available nodes, but it does not influence the order in which virtual machines start after a failover event. Since the requirement emphasizes startup order during failover and not workload separation, this choice does not address the intended configuration goal.

The second choice, VM priority settings, provides built-in functionality designed exactly for controlling the sequence in which clustered virtual machines start after failover or when the cluster service is restarted. With this configuration, each virtual machine can be assigned a priority classification such as high, medium, or low. High priority virtual machines start first, followed by medium priority, then low priority. Additionally, the cluster can be configured to prevent lower-priority virtual machines from starting if resources are insufficient. This ensures that mission-critical workloads always receive resources before less important ones. Because the scenario requires that high-priority machines start first when a node fails, this aligns directly with the required configuration.

The third choice, cluster quorum witness, is used to maintain cluster availability and prevent split-brain scenarios by providing a vote in quorum calculations. It determines whether the cluster can remain online in certain failure conditions. While it is essential for cluster resiliency, it does not influence the startup sequence or prioritization of virtual machines. It improves stability but does not affect workload behavior during failover beyond keeping the cluster operational.

The fourth choice, preferred owner settings, defines which nodes the cluster should attempt to run specific virtual machines on. This affects placement rather than failover startup order. It can ensure certain workloads run on specific hardware whenever possible, but it does not determine which ones start first when nodes fail. Since the requirement is specifically about controlling startup order during failover, this setting does not meet the objective.

Question 16 

You are deploying Azure Arc-enabled servers for a hybrid environment. Your Windows Server 2019 machines must be automatically onboarded into Azure Arc when added to a specific OU. You want this process to occur without manual steps and follow your organization’s configuration standards. What should you implement?

A) Group Policy-based PowerShell startup scripts
B) Desired State Configuration push mode
C) Azure Policy with Arc onboarding
D) System Center Orchestrator runbooks

Answer: A

Explanation: 

Evaluating each presented method helps determine the most appropriate approach to automatically onboard Windows Server machines into Azure Arc upon joining a specific organizational unit. The first choice, Group Policy-based PowerShell startup scripts, offers a native Windows mechanism that executes scripts when computers start. These scripts can contain commands to download and install the Azure Connected Machine agent, register the server with Azure Arc, and apply configuration settings. Because Group Policy applies automatically when a machine is placed in a particular organizational unit, this approach fully meets the requirement of initiating onboarding without manual steps. It also ensures consistent deployment aligned with organizational standards, making it practical for scalable hybrid implementations.

The second choice, Desired State Configuration push mode, relies on administrators manually pushing configuration settings from a management workstation or server. Push mode does not automatically apply when machines enter an OU. It requires administrative initiation for each deployment, which contradicts the requirement for an automated process. Although DSC can manage configuration consistency, push mode lacks the OU-based automation needed for onboarding new systems.

The third choice, Azure Policy with Arc onboarding, is typically used to onboard Azure VMs into Azure Arc or apply governance after the resource is already Arc-enabled. Azure Policy does not automatically install the Arc agent on on-premises machines before they have been registered. It enforces settings within Azure Resource Manager but does not function as an automated onboarding mechanism for newly added on-premises servers. Therefore, it cannot satisfy the requirement of triggering onboarding when a machine is added to an OU.

The fourth choice, System Center Orchestrator runbooks, provides workflow automation for various datacenter tasks. However, Orchestrator does not automatically detect changes in Active Directory OUs unless additional monitoring or integration processes are established. This introduces complexity and does not match the requirement for direct OU-triggered automation. Additionally, Orchestrator’s workflow reliance makes it heavier than necessary for a straightforward onboarding task.

Question 17 

Your organization uses Windows Server Update Services (WSUS) for patch management. Certain servers require delayed installation of security updates because they run critical workloads that can only be restarted during maintenance windows. You need to configure a method that allows updates to be downloaded automatically but installed later. What should you configure?

A) Server-side targeting in WSUS
B) Automatic Updates download-only setting
C) WSUS computer groups with separate approval rules
D) Update cleanup rules

Answer: B

Explanation: 

Considering how WSUS manages updates and how clients apply them helps determine which choice meets the requirement. The first choice, server-side targeting in WSUS, assigns computers to groups on the WSUS server. While this allows different approval workflows for different sets of machines, it does not control whether updates are installed immediately or only downloaded. Server-side targeting simply organizes computers for administrative purposes. It does not instruct the client to download updates but delay installation until a maintenance window.

The second choice, Automatic Updates download-only setting, specifies that client computers automatically download approved updates but do not install them automatically. This ensures timely retrieval of updates without applying them until an administrator or scheduled process initiates installation. This is precisely aligned with the requirement that security updates be downloaded but not installed until an approved maintenance window. Windows Server supports this configuration through Group Policy, which allows environments to synchronize updated binaries early while maintaining scheduling control. Because it fulfills both conditions—automated download and delayed installation—this setting is the most appropriate.

The third choice, WSUS computer groups with separate approval rules, helps control which updates are approved for different sets of servers. While it is useful for phased deployments, it does not inherently enforce delayed installation. Even if approval is controlled per group, once an update is approved for that group, the installation timing is determined by the client’s Automatic Updates configuration. Therefore, approval rules alone cannot ensure that updates are applied only during maintenance windows.

The fourth choice, update cleanup rules, focuses on server maintenance for WSUS itself. These rules remove obsolete updates, unused files, and superseded packages, optimizing WSUS storage. While important for performance, they have no effect on how or when client servers install updates. Cleanup routines do not influence installation scheduling and therefore cannot satisfy the operational requirement.

Question 18 

You manage a Windows Server failover cluster that hosts a SQL Server virtual machine. You must ensure that during planned maintenance on one node, the SQL VM moves to another node automatically without causing downtime. You also need to guarantee that the VM does not reboot during this transition. What should you configure?

A) Quick migration
B) Live migration
C) Storage migration
D) Node drain

Answer: B

Explanation: 

Understanding how each cluster feature behaves during node maintenance is crucial for determining the correct configuration. The first choice, quick migration, saves a virtual machine’s state to disk, transfers ownership to another node, and then restores the saved state on that destination node. While this process avoids a full shutdown, it still interrupts the running state of the virtual machine. Applications experience a brief pause, which can be noticeable for services like SQL Server. Because the scenario requires a transition without downtime, an option that introduces even a brief interruption cannot satisfy the requirement.

The second choice, live migration, transfers the memory, processor state, and network connections of a running virtual machine from one cluster node to another while keeping the machine operational. This process is specifically designed to provide seamless failover during planned maintenance scenarios. Virtual machines remain online, active, and fully functional during the transition. For workloads requiring high availability, such as SQL Server, live migration ensures the continuity required without introducing a reboot or noticeable interruption. This aligns exactly with the need to avoid downtime and maintain service stability when a node undergoes maintenance operations.

The third choice, storage migration, involves moving the storage of a running virtual machine to a different location. Although this can be done while the VM is running, it does not address the process of moving the virtual machine itself to another node. Storage migration alone does not facilitate node maintenance procedures or workload relocation. Since the requirement is about transitioning the VM to another cluster node without downtime, and not moving storage, this does not address the scenario.

The fourth choice, node drain, places a node in maintenance mode and moves clustered workloads to other nodes. While this is helpful for maintenance workflows, node drain relies on the workload’s configured failover settings. If the virtual machine is configured for quick migration, node drain will trigger that behavior. If it is configured for live migration, then node drain can facilitate that as part of the process. However, node drain alone is not the mechanism that ensures no downtime; it merely initiates policies already configured. Because the question asks what should be configured, live migration is the main requirement.

Question 19 

You are configuring Azure File Sync for an on-premises Windows Server environment. You need to reduce storage consumption on local servers by ensuring that only frequently accessed files remain cached locally, while infrequently used files are replaced with stubs. You must maintain full file listing visibility for end users. What feature should you configure?

A) Cloud tiering
B) Namespace optimization
C) File screening
D) Data deduplication

Answer: A

Explanation: 

Evaluating how Azure File Sync interacts with local Windows Server storage helps determine which feature meets the requirement. The first choice, cloud tiering, allows Azure File Sync to store full file content in Azure while keeping only frequently accessed files on-premises. When local disk space is needed, cloud tiering automatically replaces less frequently accessed files with lightweight reparse point stubs. These stubs allow users to see the full file structure without storing the physical file locally. This satisfies the need to reduce local storage usage while preserving full file visibility. It is specifically designed to lower on-premises storage costs and maintain user transparency.

The second choice, namespace optimization, is not a feature within Azure File Sync. While Azure File Sync provides a unified namespace through synchronized file listings, there is no configuration setting called namespace optimization. Because this option does not exist and does not provide the required storage savings functionality, it cannot be the correct choice for this scenario.

The third choice, file screening, is part of File Server Resource Manager and is used to block users from saving certain file types, such as multimedia files or executables, on a file server. This tool does not offload data to the cloud, nor does it manage tiered storage behavior. It helps with organizational policies and file type enforcement but does not reduce storage consumption by replacing files with stubs.

The fourth choice, data deduplication, reduces redundant data on local storage volumes by identifying duplicate file chunks. While this can significantly lower storage usage on file servers, it does not replace files with stubs or integrate with Azure File Sync’s cloud-based architecture. Deduplication works at the volume level and does not provide cloud-based storage extension or caching behavior. It is useful but cannot fulfill the requirement to offload infrequently accessed files to Azure while retaining the namespace.

Question 20 

Your organization requires that Windows Server 2022 virtual machines deployed in Azure automatically receive predefined security baselines, firewall rules, and audit policies immediately after provisioning. You need a centralized method that applies these configurations consistently and enforces compliance over time. What should you use?

A) Group Policy Objects applied over a VPN
B) Desired State Configuration with Azure Automation State Configuration
C) Local Security Policy scripting
D) Windows Admin Center security dashboard

Answer: B

Explanation: 

Understanding how each technology manages configuration state is important for determining the correct choice. The first choice, Group Policy Objects applied over a VPN, can enforce settings for domain-joined machines, but it requires an active VPN connection for Azure virtual machines. Azure VM provisioning does not guarantee immediate VPN connectivity, which means the required baselines may not apply at the moment of deployment. GPOs also rely on periodic refresh cycles, making them less suitable for instant and consistent application of security configurations during initial provisioning.

The second choice, Desired State Configuration with Azure Automation State Configuration, provides a cloud-managed method of applying and enforcing configurations across Windows Server systems. Using DSC, administrators can define configuration documents that detail required security baselines, firewall rules, and audit settings. Azure Automation State Configuration ensures that these configurations are applied immediately after the VM is onboarded and continuously monitors for drift, automatically correcting deviations. This satisfies both requirements: initial provisioning compliance and ongoing enforcement. It is specifically designed for hybrid and cloud environments where direct domain connectivity may not exist.

The third choice, local security policy scripting, would involve executing scripts manually or through post-deployment automation such as custom extensions. While possible, scripts do not provide continuous compliance enforcement. If settings drift or administrators make unauthorized changes, scripts will not automatically reapply configurations unless explicitly scheduled. This does not meet the requirement for consistent and enforced compliance over time.

The fourth choice, Windows Admin Center security dashboard, provides visibility into a server’s security posture and allows administrators to apply recommendations. However, it is not designed for automated enforcement or provisioning workflows. It is best suited for interactive configuration and manual review. The dashboard does not apply settings automatically to newly provisioned Azure VMs and does not offer stateful configuration enforcement.